HIPAA Audits: Ready or Not, Here They Come!

On March 21, 2016, the Office of Civil Rights (OCR) announced it will launch a second round of HIPAA audits in 2016. As with the first round of audits, in round two, OCR will be reviewing compliance with HIPAA privacy, security and breach notification rules. New for this round, the 2016 audits will focus on both covered entities, including group health plans, and their business associates.

The round two audits will occur in three phases: (1) desk audits of covered entities; (2) desk audits of business associates; and, finally (3) onsite reviews. It is reported that OCR will conduct about 200 total audits, the majority of which will be desk audits.

OCR has already begun the process of identifying the audit pool by contacting covered entities and business associates via email. Group health plans should be on the lookout for automated emails from OCR, which are being sent to confirm contact information. A response to the OCR email is required within 14 days. OCR instructed covered entities and business associates to check their spam or junk email folders to verify that emails from OCR are not erroneously identified as spam.

After the initial email, OCR will send a pre-audit questionnaire to entities it may choose to audit. Receiving a pre-audit questionnaire does not guarantee your group health plan will be audited. The purpose of the questionnaire is to gather information about entities and their operations (e.g., number of employees, level of revenue, etc.). The questionnaire will also require a group health plan to identify all of its business associates. Therefore, plan administrators who have not inventoried business associates should do so now.

Entities that fail to respond to the initial OCR email or questionnaire will still be eligible for audit. OCR will use publicly available information for unresponsive entities to create its audit pool.

OCR will then, in the “coming months,” randomly select entities to audit and notify them via email that they have been selected for audit.

Group health plans and business associates should check their HIPAA compliance status before they are contacted by OCR. Once selected for an audit, entities will only have 10 business days to provide the requested information to OCR.

Recent OCR enforcement activity has shown that noncompliance with HIPAA standards and specifications can be costly:

A Minnesota-based hospital entered into a $1.55 million settlement for failure to implement one business associate agreement and failure to conduct a HIPAA security risk analysis;

A teaching hospital of a university in Washington entered into a $750,000 settlement for failure to conduct an enterprise-wide HIPAA security risk analysis;

An insurance holding company based in Puerto Rico entered into a $3.5 million settlement for failure to implement a business associate agreement, conduct a HIPAA security risk analysis, implement security safeguards and for an improper disclosure of protected health information (PHI); and

A radiation oncology physician practice in Indiana entered into a $750,000 settlement for failure to conduct a HIPAA security risk analysis and implement security policies and procedures.

If you receive any communications from OCR, we strongly recommend that you contact a member of the Fox Rothschild Employee Benefits & Compensation Department immediately. A proactive review of your HIPAA compliance status can identify potential gaps and minimize the risk of potential penalties. For reference and to use as a guide, the following is a HIPAA compliance checklist for group health plans:

Identify all your fully insured group health plans and ensure that they do not receive protected health information, other than for limited purposes (PHI).

Determine whether for HIPAA purposes the group health plans are a hybrid entity, part of an affiliated covered entity or part of an organized health care arrangement. Document that status.

Ensure the self-insured group health plans were amended to put in place a firewall between the plan and plan sponsor and that the list of workforce members who can access PHI on behalf of the plan is accurate.

Ensure that a certification of plan amendment is in place.

Appoint a HIPAA privacy official.

Appoint a HIPAA security official.

Appoint a HIPAA privacy contact person who will handle complaints and respond to the exercise of participant rights.